- Affected version
- 2.2.16
Prerequisites
- At least one custom field is required to be filled out during registration
Steps to reproduce
- Open the registration form
- Using browser developer tools, remove the "required" attribute from the required custom field
- Enter a random gibberish username
- Enter the email address to check
- Fully complete the registration form and submit it
- Examine the results
An error message is shown stating that the required custom field is missing.
If the email address is already in use there is also an error stating this.
This allows large numbers of email addresses to be checked for already having an account by repeating those steps.
Suggested Mitigation
CAPTCHA already helps (a bit) with this, but further mitigation seems to make sense:
- Limit the number of registration attempts a single IP address can make within a certain time (like login strikes)
- If there are multiple errors and the email address is already in use, don't show this error but only the other errors. This slightly decreases usability but would IMHO be acceptable to harden the registration process
- Optionally fully ban an IP address if it exceeds X "email already in use" errors
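The following is an added example, not code from the affected project, showing how the three suggested mitigations fit together in a server-side registration handler: required custom fields are re-validated on the server (the browser's "required" attribute is advisory only), the "email already in use" error is suppressed whenever any other validation error is present, registration attempts are rate-limited per IP address, and an IP address is banned after a threshold of "email already in use" hits. The field name `department`, the sample addresses, the thresholds (`MAX_ATTEMPTS`, `WINDOW_SECONDS`, `MAX_EMAIL_IN_USE`) and the in-memory stores are all assumptions constructed for the example; a real deployment would use the application's database or cache.

```python
import time
from collections import defaultdict

# Constructed sample data and assumed policy values (not from the project).
EXISTING_EMAILS = {"alice@example.com", "bob@example.com"}
REQUIRED_CUSTOM_FIELDS = ("department",)
MAX_ATTEMPTS = 5        # registration attempts allowed per IP within WINDOW_SECONDS
WINDOW_SECONDS = 600
MAX_EMAIL_IN_USE = 3    # "email already in use" hits from one IP before it is banned

# Hypothetical in-memory state standing in for a database or cache.
_attempts = defaultdict(list)          # ip -> timestamps of recent attempts
_email_in_use_strikes = defaultdict(int)
_banned_ips = set()


def reset_state():
    """Clear all counters (used by tests and to restart the demo)."""
    _attempts.clear()
    _email_in_use_strikes.clear()
    _banned_ips.clear()
    EXISTING_EMAILS.clear()
    EXISTING_EMAILS.update({"alice@example.com", "bob@example.com"})


def register(form, ip, now=None):
    """Validate a registration submission. Returns (ok, list_of_error_messages)."""
    now = time.time() if now is None else now

    if ip in _banned_ips:
        return False, ["Registration is not available from your address."]

    # Per-IP rate limit, analogous to login strikes.
    recent = [t for t in _attempts[ip] if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_ATTEMPTS:
        _attempts[ip] = recent
        return False, ["Too many registration attempts, please try again later."]
    recent.append(now)
    _attempts[ip] = recent

    errors = []
    # Server-side enforcement of required custom fields: the client-side
    # "required" attribute can be stripped with developer tools.
    for field in REQUIRED_CUSTOM_FIELDS:
        if not (form.get(field) or "").strip():
            errors.append(f"Custom field '{field}' is required.")
    if not (form.get("username") or "").strip():
        errors.append("Username is required.")
    email = (form.get("email") or "").strip().lower()
    if not email or "@" not in email:
        errors.append("A valid email address is required.")

    if email in EXISTING_EMAILS:
        # Count the hit whether or not it is shown, since a deliberately broken
        # form submitted against an existing address is still a probe.
        _email_in_use_strikes[ip] += 1
        if _email_in_use_strikes[ip] >= MAX_EMAIL_IN_USE:
            _banned_ips.add(ip)
        # Only reveal the duplicate-address error when the form is otherwise
        # valid, so an incomplete submission cannot be used as a cheap oracle.
        if not errors:
            errors.append("This email address is already in use.")

    if errors:
        return False, errors
    EXISTING_EMAILS.add(email)
    return True, []


if __name__ == "__main__":
    reset_state()
    # A submission with the custom field stripped: only the field error is shown,
    # even though alice@example.com already has an account.
    print(register({"username": "zxqv", "email": "alice@example.com",
                    "department": ""}, "10.0.0.1"))
```

Because the duplicate-address hit is counted even when the message is suppressed, an address that repeatedly submits broken forms against existing accounts reaches the ban threshold without ever seeing the "already in use" text.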